Threat Management Frameworks

Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Threat management frameworks. The learning objectives for this lesson are to explain the MITRE Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, Framework; to describe the ATT&CK for Industrial Control Systems framework; to define the Diamond Model of Intrusion Analysis; and to evaluate the Cyber Kill Chain. Let's get started.

The MITRE Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, Framework is a knowledge base of real-world information about tactics, techniques, and procedures. It describes in detail how a potential adversary would perform an attack, and then it breaks it down into logical groupings. For example, one of these groupings would be privilege escalation. We'll see that in more detail on the next slide. If you'd like more information about the framework, you can find it at the URL on the screen.

Here is the MITRE ATT&CK Framework. If we go to privilege escalation, we can go down through and look for a specific technique. Clicking on that will give the details of how that is used in the wild. Keep in mind this is active information that has been collected by security researchers and companies from around the world, so this is real. This is good information for you to take and make sure that your systems are hardened against these types of attacks.

MITRE also has created an ATT&CK Framework for industrial control systems. It is also a knowledge base of real-world information about TTPs for ICS. You can find out more information about this at the URL on the screen. Very similar to the normal ATT&CK Framework, it's broken down in the same way. We can look up delivery or discovery, or different types of logical groupings, and then scroll down through there to find the different types of techniques that have been discovered. This is especially critical for ICS because ICS systems tend to be less protected, less well defended and hardened. Making sure that your ICS systems are not vulnerable to these attacks will go a long way to ensuring that your systems are secure.

The Diamond Model of Intrusion Analysis. The key to remember about the diamond model is that an adversary achieves goals by using capabilities over infrastructure against the victim. These four words help make up the diamond model: goals, capabilities, infrastructure, and victim. For every intrusion, an adversary moves towards their goals by leveraging their capabilities on infrastructure against victims, and this will create an impact. Every act of intrusion will indicate how an attacker uses the different capabilities and methodologies over infrastructure against the victim. The diamond model also allows for meta-features that are included in the model as ovals, and they describe details that may be included at the base level. In addition, these meta-features may describe technology and social-political aspects. Here is a graphic of the diamond model of intrusion analysis.

The Cyber Kill Chain. This is a proprietary product that was created by Lockheed Martin. It describes the steps an adversary must complete to achieve their goals. It begins with reconnaissance. This is gathering information about the target. It may be using open-source intelligence, OSINT, to find out who the key players are and who the people in different departments are so that you can better craft your phishing emails, or it may be looking for information about the DNS. Are there any subdomains that are not common knowledge that maybe would be good attack vectors? From there we go to weaponization. This is when malware is crafted that will be used in the attack. Next, we move to delivery: how the malware will be sent to the target site. For example, this could be malware delivered through a phishing email, or it could be a weaponized payload on a website. It can be many different things. This is the last stage, or I should say the most important stage, where a defender can stop the attack from progressing. If we can stop it from being delivered, we can stop the kill chain.

From there we move to exploitation. This is when the tools that were delivered are used to exploit vulnerabilities on the system. After that we move to installation. This is where we would see backdoors being implemented by the malware that was installed. This is also a good stage to stop the attack, by using host-based intrusion detection systems or host-based intrusion prevention systems to let us know that these are being installed on our systems. Finally, after that, I should say, we have command and control. This is where the attacker now has control over the networks, and by using these backdoors they can come and go as they please to send out additional commands to the malware installed on the network. Then finally, we have actions on objective. This is where the attacker goes about trying to achieve their objectives. Are they there to steal information? Are they there to use your network to attack someone else? Whatever it is, this is the goal they're shooting for. It is the last step, step 7.

Summary. We went over the MITRE Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, Framework, and we also discussed the ATT&CK Framework for industrial control systems. From there we went over the Diamond Model of Intrusion Analysis, and then we went over the Cyber Kill Chain.

Let's do some example questions.

Question 1. This step in the Cyber Kill Chain describes how adversaries will successfully use tools to achieve a breach. This is step 4, exploitation. This is when the tools that have already been uploaded will exploit vulnerabilities to give the attacker access to the systems.

Question 2. This model states an adversary achieves goals by using capabilities over infrastructure against victims. This is the Diamond Model of Intrusion Analysis.

Question 3. This is a knowledge base of real-world adversary tactics and techniques broken into groups, with matrices for each group. The MITRE Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, Framework. Which framework would be used for ICS? ATT&CK for Industrial Control Systems, also by MITRE.

Hope this lesson was useful for you, and I'll see you in the next one.